Jcink.com Forums > General Support > spambots?


Posted by: abbieleone Jan 4 2017, 12:59 AM
it's just started today, but we've had several of http://fromthisvalley.b1.jcink.com/index.php?showtopic=25714&hl= sort of advertisements show up on the site- it seems like spambots, but I'm not even sure if that's possible! Not sure if you can see the link since we've moved the threads to the trashcan.

Thanks in advance <3

Posted by: SithLordOfSnark Jan 4 2017, 01:34 AM
That can't be viewed by anyone that isn't staff of your site, but if it's what I think it is, the same is happening on Caution lately.

Posted by: charlotte1912 Jan 4 2017, 02:05 AM
We have been getting this the last 24 hours as well. All seem to be from IPs that are from the Russian Federation according to the IPlocation facility.

http://heartofthewest.jcink.net/

We have banned the IPs and deleted them to the trash can of the site, but here are two example screenshots of the 7 we have had so far. Some are in Russian and others in English.

http://cdn.nickpic.host/images/hERbq.png

http://cdn.nickpic.host/images/hE16d.png

Is there anything else we can do? It's happening in the guest friendly area for advertising other RPG sites.



Posted by: charlotte1912 Jan 4 2017, 08:37 AM
Here is one that I didn't delete:
http://heartofthewest.jcink.net/index.php?showtopic=1034&st=0&#entry3553

EDIT:

It is now deleted as we have been hit multiple times since this one.

Posted by: John Jan 4 2017, 08:45 AM
Please provide the IP(s) so I can see if it's one specific data center or all spread out and see where they've been as well.

Guest forums tend to be a hotbed for spam in general, so this is always a challenge.

Posted by: abbieleone Jan 4 2017, 01:03 PM
78.109.24.109 192.36.27.6
Those are the two I have on hand, I'll post the rest when I get home.

Posted by: John Jan 4 2017, 03:29 PM
Two different countries there, hmm, so that's not good. We might have to start scanning every guest IP address during posting to see if they're in a spam database unfortunately. I'd like to not have to do that but if this becomes a problem that will be the only option we've got. Please let me know if you keep getting these.

Posted by: charlotte1912 Jan 4 2017, 04:37 PM
Here are ours, list as follows: (in order of hit date and time - oldest to newest)


EDIT: We did a blanket IP ban on a few of these, e.g. 79.*.*.* and 141.105.*.* The last one was approx 1:30pm EST

Posted by: John Jan 4 2017, 05:02 PM
Ok,

I have looked up each one of those IPs and their ranges, most of them have been associated with ranges that were caught spamming according to sfs.

So I have walled that group as well as any subgroups (wherever you see a /24 in this list, 255 ip addresses within that same subnet have also been banned) from the system, although I don't think this is going to be super effective at all unless they are just using the same IPs over and over again.

CODE
deny 164.215.87.7;
deny 46.191.170.0/24;
deny 94.41.113.0/24;
deny 94.41.217.0/24;
deny 95.154.150.0/24;
deny 141.105.42.92;
deny 46.191.171.0/24;
deny 136.169.193.0/24;
deny 2.92.25.0/24;
deny 79.134.206.0/24;

I would NOT do a blanket ban on 79.*.*.* -- this bans way too many valid users.

Posted by: charlotte1912 Jan 4 2017, 05:34 PM
So would blanketing anything with just the first number say 188 and then *.*.* also be too limiting? What would you suggest as an alternative?

Posted by: John Jan 4 2017, 06:38 PM
Block /24's or: example 2.92.25.*

At maximum, block 2.92.*.*

This may be something we have to address at a higher level though with checking every guest post's IP, cat & mouse of blocking IPs doesn't sound like it will be effective here.
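
Added example, not part of the thread or Jcink's own code: it converts the wildcard bans discussed above into CIDR networks to show how many addresses each one covers, and collapses a list of offender IPs into nginx-style `deny` lines. The sample addresses are constructed from documentation ranges, and widening to a /24 only when two or more offenders share it is an assumption made for illustration.

```python
import ipaddress


def wildcard_to_network(pattern):
    """Convert a forum-style ban such as '2.92.25.*' into an IPv4 network.

    Only trailing wildcards are accepted; '79.*.1.*' has no CIDR equivalent.
    """
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    fixed = []
    seen_wildcard = False
    for octet in octets:
        if octet == "*":
            seen_wildcard = True
        elif seen_wildcard:
            raise ValueError(f"wildcards must be trailing: {pattern!r}")
        else:
            fixed.append(octet)
    prefix = 8 * len(fixed)
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    # ip_network() also rejects out-of-range octets such as 300.
    return ipaddress.ip_network(f"{base}/{prefix}")


def ban_size(pattern):
    """Number of addresses a wildcard ban blocks."""
    return wildcard_to_network(pattern).num_addresses


def covers(pattern, ip):
    """True if the wildcard ban would also block this visitor address."""
    return ipaddress.IPv4Address(ip) in wildcard_to_network(pattern)


def to_deny_lines(addresses, min_hosts_for_range=2, prefix=24):
    """Turn offender IPs into sorted, de-duplicated 'deny' lines.

    Assumed policy: deny the whole /prefix only when at least
    min_hosts_for_range distinct offenders fall inside it, otherwise
    deny just the single address.
    """
    by_net = {}
    for raw in addresses:
        ip = ipaddress.IPv4Address(raw.strip())
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net.setdefault(net, set()).add(ip)
    lines = []
    for net in sorted(by_net):
        hosts = by_net[net]
        if len(hosts) >= min_hosts_for_range:
            lines.append(f"deny {net};")
        else:
            lines.extend(f"deny {ip};" for ip in sorted(hosts))
    return lines


# Constructed sample input (RFC 5737 documentation addresses, one duplicate).
SAMPLE_OFFENDERS = ["203.0.113.7", "203.0.113.99", "198.51.100.23", "203.0.113.7"]

if __name__ == "__main__":
    for ban in ("79.*.*.*", "2.92.*.*", "2.92.25.*"):
        print(f"{ban:12} -> {wildcard_to_network(ban)} ({ban_size(ban):,} addresses)")
    print("\n".join(to_deny_lines(SAMPLE_OFFENDERS)))
```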

Posted by: charlotte1912 Jan 4 2017, 10:08 PM
And one more for the list:

176.214.149.255

They are quite persistent :/

Posted by: John Jan 4 2017, 10:11 PM
That's a fresh one apparently.

http://stopforumspam.com/ipcheck/176.214.149.255

Posted by: charlotte1912 Jan 7 2017, 12:47 AM
One more for the collection. At least it is less frequent now :)

212.232.4.183

Posted by: John Jan 7 2017, 05:03 PM
Good to hear!

Posted by: charlotte1912 Jan 7 2017, 08:06 PM
The latest one was such a lovely message.. lol

Title: Asshole

Message: ...

Seems to have Dunald somewhere in the name of its hits.
IP: 5.57.218.204

Posted by: ajill Jan 9 2017, 04:14 AM
I have had the same happening lately John, here are the IPs I got:

217.23.14.190
192.36.27.4
34.195.147.209
134.249.52.48
178.213.191.22

I have banned those from my board, but they seem to just post wherever they are allowed and sadly (like wanted ads, face claims) I cannot close those for guests to post, so please help?

Posted by: John Jan 9 2017, 10:19 AM
I understand your frustration. I will look into adding a scan on all incoming IPs posting to guest forums as I am seeing more of this than just on your board(s). However it also isn't super widespread, either, at least not yet. I've walled those IP ranges for now as well, all /24s.

Unfortunately the IP addresses used are also obviously very random. Spammers love guest forums as I said :/ I realize that many utilize the guest feature but it's always the biggest risk for spam, and the hardest to secure without making it a huge inconvenience to post.

Only about half of those IPs were listed in a spam database somewhere, so it won't be a silver bullet.

Posted by: John Jan 11 2017, 07:06 PM
I implemented scanning of guest IP addresses. Based on the data I've collected in the last 24 hours, about 2,000 attempts to spam have been blocked by the checking.

Have any of you had spam similar to the stuff reported in the last 24 hours?

Posted by: jess the hufflepuff Jan 13 2017, 10:05 PM
i've just recently started getting some spambots too!!

83.26.51.84
92.222.81.196
178.159.37.60

here's another ip for you
i'm a little confused, how are they getting past the captchas or are they actual people posting these?

Posted by: John Jan 13 2017, 10:11 PM
captchas have been broken for years. none of them are 100%, they try and try until it is broken, even at a 30% success rate. actual people are not posting these.

did all of those IPs appear today or is that from the past? the last two are being actively blocked. I counted 300 blocked attempts for the third IP, and 10 for the second. the first was unlisted for some reason, unfortunately, I just listed it now.

so far I'm seeing pretty good success with the blacklist checking. over 6,000 attempts blocked now.

Posted by: jess the hufflepuff Jan 13 2017, 11:08 PM
oooh had no idea!

178.159.37.60 was from the 11th of jan
5.166.196.156 [i didn't add this to the list, just noticed it] was from the 12th of jan
83.26.51.84 was from today
and i can't seem to find the 92 ip anymore

178.159.37.60 here's another one from the 10th! which is when they started, so i haven't had as much as the others that have been posting, but they seem to have only just started

i'll keep you updated if i get more

Posted by: clicker Jan 14 2017, 07:44 PM
IP: [ 185.154.13.7 ]
IP: [ 178.125.83.96 ]

these were maybe within the last couple of hours on shine!

Posted by: John Jan 14 2017, 07:46 PM
Looks like those are very fresh.

This doesn't look like it's going to stop any time soon, so moderation is going to be a must. The only thing we can do is try to change the captcha to something else, maybe add something that will confuse the bots for a while.

I'm seeing a much better situation though since I enabled the scanning of each guest IP.

Posted by: jess the hufflepuff Jan 15 2017, 03:55 PM
these are all from the last like 10 or so hours!

they both posted 2 different advertisements, as well!
5.164.245.37
95.79.82.33

Posted by: John Jan 15 2017, 04:01 PM
Those are fresh too, so I will add them, but this is becoming a game of cat & mouse.

IP banning specifically will not be effective, so going forward I won't be banning any more individual IPs unless I identify them to be highly toxic.

To date we've had about 10k attempts blocked by the scanning but it's missing the freshest of spammer IPs
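
Added example, not part of the thread and not Jcink's implementation: a sketch of screening a guest poster's IP against a DNS blacklist, showing why an address that is not yet listed still gets through. The zone `dnsbl.example`, the class name `GuestIPScreen`, the cache TTL and the sample addresses are all assumptions; the query format (reversed octets, answer in 127.0.0.0/8 means listed) is the usual DNSBL convention.

```python
import ipaddress
import socket
import time

DNSBL_ZONE = "dnsbl.example"  # placeholder zone, not a real blacklist
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the lookup name: octets reversed, then the blacklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Real lookup: A records for name, [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # other resolver failures propagate as OSError


class GuestIPScreen:
    """Decide whether a guest post is accepted, based on a DNSBL lookup."""

    def __init__(self, resolver=system_resolver, zone=DNSBL_ZONE,
                 ttl=300, clock=time.monotonic):
        self.resolver = resolver
        self.zone = zone
        self.ttl = ttl
        self.clock = clock
        self._cache = {}  # ip -> (expires_at, listed)

    def check(self, ip):
        """Return (allow, reason) for one posting attempt."""
        now = self.clock()
        cached = self._cache.get(ip)
        if cached and cached[0] > now:
            listed = cached[1]
        else:
            try:
                answers = self.resolver(dnsbl_query_name(ip, self.zone))
            except OSError:
                # Fail open so a resolver outage does not block every guest;
                # the reason lets the caller hold the post for moderation.
                return True, "lookup-failed"
            listed = any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)
            self._cache[ip] = (now + self.ttl, listed)
        return (False, "listed") if listed else (True, "not-listed")


def demo():
    """Run the screen against a constructed blacklist and a fake clock."""
    blacklist = {"7.113.0.203.dnsbl.example": ["127.0.0.2"]}  # constructed
    now = [0.0]
    screen = GuestIPScreen(resolver=lambda n: blacklist.get(n, []),
                           clock=lambda: now[0])
    results = [screen.check("203.0.113.7"),      # already listed
               screen.check("198.51.100.23")]    # fresh, not listed yet
    # The fresh IP gets reported, but the cached verdict is still served.
    blacklist["23.100.51.198.dnsbl.example"] = ["127.0.0.2"]
    results.append(screen.check("198.51.100.23"))
    now[0] = 301.0                               # cache entry has expired
    results.append(screen.check("198.51.100.23"))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```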

Posted by: clicker Jan 15 2017, 06:21 PM
IP: [ 178.217.48.244 ]

thanks for taking the time to try & look into this! in the meantime, just deleting the posts really isn't that excess. :^ )

Posted by: serenity Jan 15 2017, 07:15 PM
caution and shine are getting quite a bit

ones from caution:


ones from shine:


while yes topics can be purged and/or moved, it's getting tedious and disabling guest posting isn't realistic for the ads area (though for some reason shine is getting all of them in the site necessities -> application templates area). i just hope this stops soon~

Posted by: John Jan 15 2017, 07:36 PM
Are those all of them overall or just from today? many of them are listed and being already actively blocked now as of Jan 11th when I added the scanning.

so far caution has about ~200 blocked from scanning and so does shine from my logs. about equal there with the # of attempts.

but some of them, for example, are getting in because of being very new, ex:

5.164.245.37

http://stopforumspam.com/ipcheck/5.164.245.37

just listed a couple hours ago unfortunately so it got you before it was listed.

in the next few days I will try adding a new line to the form to see if that helps. something basic like "Type the site's name here" or "What is 1+1" to see if I can at least temporarily throw off the bots.

Posted by: serenity Jan 15 2017, 07:42 PM
QUOTE (John @ Jan 15 2017, 05:36 PM)
Are those all of them overall or just from today? many of them are listed and being already actively blocked now as of Jan 11th when I added the scanning.

so far caution has about ~200 blocked from scanning and so does shine from my logs. about equal there with the # of attempts.

but some of them, for example, are getting in because of being very new, ex:

5.164.245.37

http://stopforumspam.com/ipcheck/5.164.245.37

just listed a couple hours ago unfortunately so it got you before it was listed.

in the next few days I will try adding a new line to the form to see if that helps. something basic like "Type the site's name here" or "What is 1+1" to see if I can at least temporarily throw off the bots.


all the caution ones are from the 3rd until today, and the shine ones are only from the past 2-5 days up until today (aside from two of the IPs that were a little bit before the spam bots went crazy).

i'm so glad you're gonna add something. hopefully it'll successfully throw them off and then it'll stop. i'll keep my fingers crossed! and thank you so much for being such an amazing hoster. the fact you're so on top of things and so fast is really appreciated.

Posted by: John Jan 15 2017, 07:44 PM
Ah, ok, that's good to know then.

It's only been about the past 4 days as it is since I started actively scanning each guest's IP to see if it's in SFS. So you should be happy to know that most of all the ones you've listed there are covered. Only the very newer listings, depending on when they hit, are getting to people now.

At the end of the week I'm going to compile all of the IPs collected as well in my log with number of attempts and firewall them directly based on their aggression type. Then the week after study the list again and see if I'm noticing a larger, smaller, or list of about the same size.

Posted by: jess the hufflepuff Jan 17 2017, 04:33 PM
Here's a new list if you're still collecting!
All from today, so they're probably new ~

5.164.231.21
5.164.244.188
5.166.215.176
95.79.129.161
109.63.162.249

thank you :)

Posted by: John Jan 17 2017, 05:13 PM
Yes they are indeed. They've already been added to sfs I think; I didn't check all of them. I'm not collecting IPs from individual postings anymore though as I've got my own logger, but I appreciate the lists anyway!

Posted by: Delphi Jan 17 2017, 05:57 PM
These are from the last couple hours, I know you're not actively collecting but you did say you appreciated the lists, so I figured we'd just report.

46.148.127.76
95.79.82.33
5.164.245.37
5.164.231.21
5.164.244.188
5.166.215.176

Removing isn't bad, but these things are crazy, these few IP addresses posted approximately 12-15 posts of spam in the span of maybe 20 minutes?

Also to note: We are only seeing these excessive bot posts in our "Advertise" section and not our "guest Friendly" board even though they both have the same criteria to post (the security key).

not sure if that's helpful or not, but figured it was interesting since we haven't seen a single piece of spam in our guest friendly area.

Posted by: PANIC! ITS LAUZ Jan 17 2017, 08:24 PM
well regardless of whether or not they're helpful, or you're logging them yourself, figured i'd just post all the things i gathered from SHINE anyway. some of these were even posted in forums that only members can see? so it hasn't just been guest friendly boards either. all from the last few days.



Posted by: xo Lola Jan 17 2017, 09:50 PM
John

One of the spambots .... registered ???? to post ???? their garbage ???

this is a screenshot from Caution, the post has since been deleted but

how did it get past the captcha?

https://i.imgsafe.org/ed7748c521.png

Posted by: John Jan 17 2017, 09:50 PM
Here is a list I have just produced after about a week's worth of logging that I started on the 11th. I have parsed and compiled them.

CODE
deny 178.159.37.60; # dnsbl logged 1/17/2017 hits: 1561
deny 185.129.62.63; # dnsbl logged 1/17/2017 hits: 478
deny 128.52.128.105; # dnsbl logged 1/17/2017 hits: 406
deny 134.249.141.24; # dnsbl logged 1/17/2017 hits: 359
deny 134.249.51.228; # dnsbl logged 1/17/2017 hits: 328
deny 46.118.153.31; # dnsbl logged 1/17/2017 hits: 312
deny 46.188.28.235; # dnsbl logged 1/17/2017 hits: 294
deny 62.210.81.52; # dnsbl logged 1/17/2017 hits: 208
deny 37.46.228.194; # dnsbl logged 1/17/2017 hits: 206
deny 163.172.209.46; # dnsbl logged 1/17/2017 hits: 197
deny 192.36.27.4; # dnsbl logged 1/17/2017 hits: 170
deny 178.137.0.54; # dnsbl logged 1/17/2017 hits: 153
deny 37.115.199.53; # dnsbl logged 1/17/2017 hits: 146
deny 192.36.27.6; # dnsbl logged 1/17/2017 hits: 139
deny 84.16.241.100; # dnsbl logged 1/17/2017 hits: 131
deny 93.182.169.139; # dnsbl logged 1/17/2017 hits: 125
deny 178.159.37.8; # dnsbl logged 1/17/2017 hits: 125
deny 83.26.51.84; # dnsbl logged 1/17/2017 hits: 117
deny 78.109.24.109; # dnsbl logged 1/17/2017 hits: 116
deny 46.109.25.167; # dnsbl logged 1/17/2017 hits: 111
deny 209.222.77.220; # dnsbl logged 1/17/2017 hits: 111
deny 171.25.193.131; # dnsbl logged 1/17/2017 hits: 109
deny 87.110.28.32; # dnsbl logged 1/17/2017 hits: 107
deny 109.162.122.6; # dnsbl logged 1/17/2017 hits: 105
deny 163.172.67.180; # dnsbl logged 1/17/2017 hits: 100
deny 46.105.100.149; # dnsbl logged 1/17/2017 hits: 100
deny 46.166.148.176; # dnsbl logged 1/17/2017 hits: 98
deny 185.38.14.171; # dnsbl logged 1/17/2017 hits: 97
deny 109.86.72.150; # dnsbl logged 1/17/2017 hits: 92
deny 185.38.14.215; # dnsbl logged 1/17/2017 hits: 92
deny 37.195.200.165; # dnsbl logged 1/17/2017 hits: 91
deny 173.254.216.66; # dnsbl logged 1/17/2017 hits: 84
deny 213.159.38.90; # dnsbl logged 1/17/2017 hits: 81
deny 212.47.253.151; # dnsbl logged 1/17/2017 hits: 81
deny 62.210.129.246; # dnsbl logged 1/17/2017 hits: 79
deny 46.165.230.5; # dnsbl logged 1/17/2017 hits: 77
deny 185.104.120.3; # dnsbl logged 1/17/2017 hits: 77
deny 192.160.102.166; # dnsbl logged 1/17/2017 hits: 76
deny 191.96.249.110; # dnsbl logged 1/17/2017 hits: 74
deny 176.10.104.243; # dnsbl logged 1/17/2017 hits: 68
deny 216.239.90.19; # dnsbl logged 1/17/2017 hits: 68
deny 176.10.104.240; # dnsbl logged 1/17/2017 hits: 67
deny 163.172.223.200; # dnsbl logged 1/17/2017 hits: 67
deny 178.76.243.0; # dnsbl logged 1/17/2017 hits: 65
deny 94.142.242.84; # dnsbl logged 1/17/2017 hits: 62
deny 65.19.167.130; # dnsbl logged 1/17/2017 hits: 62
deny 46.101.98.208; # dnsbl logged 1/17/2017 hits: 62
deny 163.172.135.18; # dnsbl logged 1/17/2017 hits: 60
deny 207.244.70.35; # dnsbl logged 1/17/2017 hits: 60
deny 185.11.180.67; # dnsbl logged 1/17/2017 hits: 60
deny 65.19.167.131; # dnsbl logged 1/17/2017 hits: 59
deny 192.160.102.164; # dnsbl logged 1/17/2017 hits: 58
deny 85.192.162.173; # dnsbl logged 1/17/2017 hits: 58
deny 80.67.172.162; # dnsbl logged 1/17/2017 hits: 58
deny 62.210.81.152; # dnsbl logged 1/17/2017 hits: 57
deny 5.35.25.103; # dnsbl logged 1/17/2017 hits: 55
deny 89.218.186.82; # dnsbl logged 1/17/2017 hits: 54
deny 46.59.107.73; # dnsbl logged 1/17/2017 hits: 53
deny 171.25.193.132; # dnsbl logged 1/17/2017 hits: 53
deny 62.102.148.67; # dnsbl logged 1/17/2017 hits: 52
deny 46.118.157.125; # dnsbl logged 1/17/2017 hits: 52
deny 93.115.95.216; # dnsbl logged 1/17/2017 hits: 51
deny 212.109.201.73; # dnsbl logged 1/17/2017 hits: 51
deny 193.171.202.150; # dnsbl logged 1/17/2017 hits: 51
deny 95.154.145.139; # dnsbl logged 1/17/2017 hits: 50
deny 37.220.35.202; # dnsbl logged 1/17/2017 hits: 50
deny 185.129.62.62; # dnsbl logged 1/17/2017 hits: 49
deny 93.115.95.202; # dnsbl logged 1/17/2017 hits: 49
deny 151.249.254.251; # dnsbl logged 1/17/2017 hits: 49
deny 93.115.95.207; # dnsbl logged 1/17/2017 hits: 48
deny 216.218.222.13; # dnsbl logged 1/17/2017 hits: 48
deny 93.115.95.201; # dnsbl logged 1/17/2017 hits: 47
deny 62.210.81.154; # dnsbl logged 1/17/2017 hits: 47
deny 163.172.191.54; # dnsbl logged 1/17/2017 hits: 47
deny 178.159.37.75; # dnsbl logged 1/17/2017 hits: 47
deny 178.32.24.192; # dnsbl logged 1/17/2017 hits: 47
deny 85.248.227.163; # dnsbl logged 1/17/2017 hits: 47
deny 178.213.191.22; # dnsbl logged 1/17/2017 hits: 46
deny 176.195.6.172; # dnsbl logged 1/17/2017 hits: 46
deny 93.115.95.204; # dnsbl logged 1/17/2017 hits: 46
deny 193.201.225.61; # dnsbl logged 1/17/2017 hits: 45
deny 51.15.53.83; # dnsbl logged 1/17/2017 hits: 45
deny 178.32.24.196; # dnsbl logged 1/17/2017 hits: 45
deny 199.87.154.255; # dnsbl logged 1/17/2017 hits: 45
deny 5.199.130.188; # dnsbl logged 1/17/2017 hits: 44
deny 109.86.72.210; # dnsbl logged 1/17/2017 hits: 44
deny 51.15.39.2; # dnsbl logged 1/17/2017 hits: 44
deny 188.163.75.38; # dnsbl logged 1/17/2017 hits: 44
deny 94.231.151.120; # dnsbl logged 1/17/2017 hits: 42
deny 185.10.68.102; # dnsbl logged 1/17/2017 hits: 42
deny 46.28.107.82; # dnsbl logged 1/17/2017 hits: 40
deny 198.50.242.32; # dnsbl logged 1/17/2017 hits: 40
deny 176.8.104.192; # dnsbl logged 1/17/2017 hits: 40
deny 185.154.13.7; # dnsbl logged 1/17/2017 hits: 40
deny 163.172.190.191; # dnsbl logged 1/17/2017 hits: 40
deny 85.93.218.204; # dnsbl logged 1/17/2017 hits: 40
deny 109.201.133.100; # dnsbl logged 1/17/2017 hits: 39
deny 93.115.95.206; # dnsbl logged 1/17/2017 hits: 39
deny 204.85.191.30; # dnsbl logged 1/17/2017 hits: 38
deny 166.70.207.2; # dnsbl logged 1/17/2017 hits: 37
deny 65.19.167.132; # dnsbl logged 1/17/2017 hits: 37
deny 163.172.173.229; # dnsbl logged 1/17/2017 hits: 36
deny 185.29.255.27; # dnsbl logged 1/17/2017 hits: 36
deny 165.231.0.242; # dnsbl logged 1/17/2017 hits: 36
deny 178.32.51.225; # dnsbl logged 1/17/2017 hits: 36
deny 163.172.129.17; # dnsbl logged 1/17/2017 hits: 36
deny 46.166.148.177; # dnsbl logged 1/17/2017 hits: 35
deny 193.90.12.86; # dnsbl logged 1/17/2017 hits: 35
deny 51.15.36.187; # dnsbl logged 1/17/2017 hits: 35
deny 199.87.154.251; # dnsbl logged 1/17/2017 hits: 34
deny 64.113.32.29; # dnsbl logged 1/17/2017 hits: 34
deny 178.137.167.157; # dnsbl logged 1/17/2017 hits: 34
deny 195.154.122.54; # dnsbl logged 1/17/2017 hits: 33
deny 51.15.57.90; # dnsbl logged 1/17/2017 hits: 33
deny 163.172.170.212; # dnsbl logged 1/17/2017 hits: 33
deny 164.132.51.91; # dnsbl logged 1/17/2017 hits: 33
deny 46.166.148.143; # dnsbl logged 1/17/2017 hits: 33
deny 163.172.157.153; # dnsbl logged 1/17/2017 hits: 33
deny 51.15.43.205; # dnsbl logged 1/17/2017 hits: 33
deny 92.222.103.232; # dnsbl logged 1/17/2017 hits: 32
deny 89.144.12.15; # dnsbl logged 1/17/2017 hits: 32
deny 62.210.105.116; # dnsbl logged 1/17/2017 hits: 32
deny 164.132.104.166; # dnsbl logged 1/17/2017 hits: 31
deny 91.219.237.244; # dnsbl logged 1/17/2017 hits: 31
deny 85.248.227.164; # dnsbl logged 1/17/2017 hits: 31
deny 85.248.227.165; # dnsbl logged 1/17/2017 hits: 31
deny 91.205.239.219; # dnsbl logged 1/17/2017 hits: 30
deny 199.127.226.150; # dnsbl logged 1/17/2017 hits: 30
deny 174.57.158.160; # dnsbl logged 1/17/2017 hits: 30
deny 79.124.59.198; # dnsbl logged 1/17/2017 hits: 30
deny 149.202.98.160; # dnsbl logged 1/17/2017 hits: 30
deny 93.77.96.97; # dnsbl logged 1/17/2017 hits: 30
deny 178.20.55.16; # dnsbl logged 1/17/2017 hits: 29
deny 193.90.12.87; # dnsbl logged 1/17/2017 hits: 29
deny 46.166.148.152; # dnsbl logged 1/17/2017 hits: 29
deny 178.137.132.254; # dnsbl logged 1/17/2017 hits: 29
deny 176.120.255.15; # dnsbl logged 1/17/2017 hits: 28
deny 45.79.85.112; # dnsbl logged 1/17/2017 hits: 28
deny 69.30.215.94; # dnsbl logged 1/17/2017 hits: 27
deny 185.117.215.9; # dnsbl logged 1/17/2017 hits: 27
deny 151.80.238.152; # dnsbl logged 1/17/2017 hits: 27
deny 46.101.127.145; # dnsbl logged 1/17/2017 hits: 27
deny 79.124.59.202; # dnsbl logged 1/17/2017 hits: 26
deny 217.170.201.106; # dnsbl logged 1/17/2017 hits: 26
deny 51.15.47.106; # dnsbl logged 1/17/2017 hits: 26
deny 217.115.10.131; # dnsbl logged 1/17/2017 hits: 26
deny 37.48.80.101; # dnsbl logged 1/17/2017 hits: 26
deny 198.50.200.141; # dnsbl logged 1/17/2017 hits: 25
deny 195.123.209.184; # dnsbl logged 1/17/2017 hits: 25
deny 92.222.81.196; # dnsbl logged 1/17/2017 hits: 24
deny 46.166.148.142; # dnsbl logged 1/17/2017 hits: 24
deny 37.139.184.16; # dnsbl logged 1/17/2017 hits: 24
deny 185.100.87.186; # dnsbl logged 1/17/2017 hits: 23
deny 213.32.91.89; # dnsbl logged 1/17/2017 hits: 23
deny 95.161.239.151; # dnsbl logged 1/17/2017 hits: 23
deny 185.31.161.102; # dnsbl logged 1/17/2017 hits: 23
deny 209.222.77.221; # dnsbl logged 1/17/2017 hits: 23
deny 93.184.66.227; # dnsbl logged 1/17/2017 hits: 23
deny 149.202.98.161; # dnsbl logged 1/17/2017 hits: 23
deny 5.196.66.162; # dnsbl logged 1/17/2017 hits: 23
deny 144.217.161.119; # dnsbl logged 1/17/2017 hits: 23
deny 142.4.206.241; # dnsbl logged 1/17/2017 hits: 22
deny 51.254.23.231; # dnsbl logged 1/17/2017 hits: 22
deny 46.182.18.214; # dnsbl logged 1/17/2017 hits: 22
deny 81.162.228.42; # dnsbl logged 1/17/2017 hits: 22
deny 51.255.202.66; # dnsbl logged 1/17/2017 hits: 22
deny 216.218.222.10; # dnsbl logged 1/17/2017 hits: 22
deny 91.219.237.229; # dnsbl logged 1/17/2017 hits: 22
deny 149.56.229.17; # dnsbl logged 1/17/2017 hits: 22
deny 198.105.213.213; # dnsbl logged 1/17/2017 hits: 21
deny 198.50.200.134; # dnsbl logged 1/17/2017 hits: 21
deny 171.25.193.25; # dnsbl logged 1/17/2017 hits: 21
deny 176.214.117.82; # dnsbl logged 1/17/2017 hits: 21
deny 62.141.35.91; # dnsbl logged 1/17/2017 hits: 21
deny 46.182.18.29; # dnsbl logged 1/17/2017 hits: 21
deny 46.183.218.199; # dnsbl logged 1/17/2017 hits: 21
deny 94.26.140.150; # dnsbl logged 1/17/2017 hits: 21
deny 64.137.184.36; # dnsbl logged 1/17/2017 hits: 21
deny 91.138.253.244; # dnsbl logged 1/17/2017 hits: 21
deny 51.254.115.27; # dnsbl logged 1/17/2017 hits: 21
deny 198.50.200.135; # dnsbl logged 1/17/2017 hits: 20
deny 95.65.45.111; # dnsbl logged 1/17/2017 hits: 20
deny 158.130.0.242; # dnsbl logged 1/17/2017 hits: 20
deny 51.255.33.0; # dnsbl logged 1/17/2017 hits: 20
deny 5.2.75.199; # dnsbl logged 1/17/2017 hits: 19
deny 91.219.236.222; # dnsbl logged 1/17/2017 hits: 19
deny 37.139.8.104; # dnsbl logged 1/17/2017 hits: 19
deny 91.213.8.236; # dnsbl logged 1/17/2017 hits: 19
deny 31.31.74.69; # dnsbl logged 1/17/2017 hits: 18
deny 149.56.223.241; # dnsbl logged 1/17/2017 hits: 18
deny 176.31.180.157; # dnsbl logged 1/17/2017 hits: 18
deny 146.185.177.103; # dnsbl logged 1/17/2017 hits: 18
deny 87.118.116.90; # dnsbl logged 1/17/2017 hits: 18
deny 162.247.72.201; # dnsbl logged 1/17/2017 hits: 18
deny 193.90.12.90; # dnsbl logged 1/17/2017 hits: 18
deny 37.233.99.157; # dnsbl logged 1/17/2017 hits: 18
deny 216.218.222.12; # dnsbl logged 1/17/2017 hits: 18
deny 198.96.155.3; # dnsbl logged 1/17/2017 hits: 18
deny 108.175.11.230; # dnsbl logged 1/17/2017 hits: 18
deny 162.247.73.204; # dnsbl logged 1/17/2017 hits: 17
deny 176.102.32.243; # dnsbl logged 1/17/2017 hits: 17
deny 176.123.26.92; # dnsbl logged 1/17/2017 hits: 17
deny 176.213.249.225; # dnsbl logged 1/17/2017 hits: 17
deny 178.17.170.179; # dnsbl logged 1/17/2017 hits: 17
deny 146.185.163.44; # dnsbl logged 1/17/2017 hits: 17
deny 31.41.219.228; # dnsbl logged 1/17/2017 hits: 17
deny 91.219.236.136; # dnsbl logged 1/17/2017 hits: 17
deny 193.90.12.88; # dnsbl logged 1/17/2017 hits: 17
deny 151.80.38.67; # dnsbl logged 1/17/2017 hits: 17
deny 46.39.54.229; # dnsbl logged 1/17/2017 hits: 17
deny 62.212.73.141; # dnsbl logged 1/17/2017 hits: 17
deny 163.172.151.47; # dnsbl logged 1/17/2017 hits: 17
deny 163.172.136.101; # dnsbl logged 1/17/2017 hits: 16
deny 193.90.12.89; # dnsbl logged 1/17/2017 hits: 16
deny 185.14.29.129; # dnsbl logged 1/17/2017 hits: 16
deny 89.223.27.241; # dnsbl logged 1/17/2017 hits: 16
deny 62.80.200.190; # dnsbl logged 1/17/2017 hits: 16
deny 94.242.55.220; # dnsbl logged 1/17/2017 hits: 16
deny 194.88.143.66; # dnsbl logged 1/17/2017 hits: 16
deny 195.154.7.245; # dnsbl logged 1/17/2017 hits: 16
deny 91.134.232.48; # dnsbl logged 1/17/2017 hits: 16
deny 79.172.193.32; # dnsbl logged 1/17/2017 hits: 16
deny 185.100.87.241; # dnsbl logged 1/17/2017 hits: 16
deny 149.56.229.16; # dnsbl logged 1/17/2017 hits: 16
deny 185.31.162.245; # dnsbl logged 1/17/2017 hits: 16
deny 92.222.84.136; # dnsbl logged 1/17/2017 hits: 16
deny 91.213.8.84; # dnsbl logged 1/17/2017 hits: 16
deny 91.121.77.37; # dnsbl logged 1/17/2017 hits: 15
deny 173.208.213.114; # dnsbl logged 1/17/2017 hits: 15
deny 167.114.89.195; # dnsbl logged 1/17/2017 hits: 15
deny 51.15.58.152; # dnsbl logged 1/17/2017 hits: 15
deny 217.115.10.132; # dnsbl logged 1/17/2017 hits: 15
deny 109.86.72.163; # dnsbl logged 1/17/2017 hits: 15
deny 51.15.46.217; # dnsbl logged 1/17/2017 hits: 15
deny 162.247.72.27; # dnsbl logged 1/17/2017 hits: 15
deny 45.62.246.91; # dnsbl logged 1/17/2017 hits: 15
deny 46.29.248.238; # dnsbl logged 1/17/2017 hits: 14
deny 89.248.166.157; # dnsbl logged 1/17/2017 hits: 14
deny 162.247.72.7; # dnsbl logged 1/17/2017 hits: 14
deny 46.183.221.231; # dnsbl logged 1/17/2017 hits: 14
deny 95.153.32.10; # dnsbl logged 1/17/2017 hits: 14
deny 185.100.86.100; # dnsbl logged 1/17/2017 hits: 14
deny 212.47.246.21; # dnsbl logged 1/17/2017 hits: 14
deny 163.172.137.174; # dnsbl logged 1/17/2017 hits: 14
deny 198.100.148.112; # dnsbl logged 1/17/2017 hits: 14
deny 5.2.75.25; # dnsbl logged 1/17/2017 hits: 14
deny 217.12.199.87; # dnsbl logged 1/17/2017 hits: 14
deny 94.242.57.198; # dnsbl logged 1/17/2017 hits: 14
deny 77.109.139.87; # dnsbl logged 1/17/2017 hits: 13
deny 5.196.1.129; # dnsbl logged 1/17/2017 hits: 13
deny 137.74.169.241; # dnsbl logged 1/17/2017 hits: 13
deny 185.154.13.103; # dnsbl logged 1/17/2017 hits: 13
deny 87.118.115.176; # dnsbl logged 1/17/2017 hits: 13
deny 185.29.8.211; # dnsbl logged 1/17/2017 hits: 13
deny 178.17.170.212; # dnsbl logged 1/17/2017 hits: 12
deny 77.121.194.65; # dnsbl logged 1/17/2017 hits: 12
deny 159.203.11.12; # dnsbl logged 1/17/2017 hits: 12
deny 162.247.72.199; # dnsbl logged 1/17/2017 hits: 12
deny 178.17.170.27; # dnsbl logged 1/17/2017 hits: 12
deny 64.137.201.90; # dnsbl logged 1/17/2017 hits: 12
deny 83.143.245.68; # dnsbl logged 1/17/2017 hits: 12
deny 162.247.72.213; # dnsbl logged 1/17/2017 hits: 12
deny 195.228.45.176; # dnsbl logged 1/17/2017 hits: 12
deny 162.247.73.74; # dnsbl logged 1/17/2017 hits: 12
deny 167.114.230.104; # dnsbl logged 1/17/2017 hits: 11
deny 93.174.93.133; # dnsbl logged 1/17/2017 hits: 11
deny 176.195.89.31; # dnsbl logged 1/17/2017 hits: 11
deny 199.254.238.44; # dnsbl logged 1/17/2017 hits: 11
deny 97.74.237.196; # dnsbl logged 1/17/2017 hits: 11
deny 193.169.135.133; # dnsbl logged 1/17/2017 hits: 11
deny 46.182.19.219; # dnsbl logged 1/17/2017 hits: 11
deny 163.172.217.50; # dnsbl logged 1/17/2017 hits: 11
deny 92.222.6.12; # dnsbl logged 1/17/2017 hits: 11
deny 113.18.193.4; # dnsbl logged 1/17/2017 hits: 11
deny 64.27.17.140; # dnsbl logged 1/17/2017 hits: 11
deny 91.76.1.131; # dnsbl logged 1/17/2017 hits: 11
deny 178.175.131.194; # dnsbl logged 1/17/2017 hits: 11
deny 109.227.124.83; # dnsbl logged 1/17/2017 hits: 11
deny 64.137.210.97; # dnsbl logged 1/17/2017 hits: 11
deny 93.158.215.99; # dnsbl logged 1/17/2017 hits: 10
deny 87.118.122.51; # dnsbl logged 1/17/2017 hits: 10

These have all been firewalled directly now and I'll be collecting a new list. Should you have been hit in the past by any of these IPs above you will no longer be hit by them as of today. This list comes from 15,000 failed attempts because of being spam listed. In addition some subnets that I have elected to block are not shown there as well and are taken care of.

Posted by: John Jan 17 2017, 09:54 PM
QUOTE (xo Lola @ Jan 17 2017, 10:50 PM)
John

One of the spambots .... registered ???? to post ???? their garbage ???

this is a screenshot from Caution, the post has since been deleted but

how did it get past the captcha?

https://i.imgsafe.org/ed7748c521.png


broken captcha.

we don't use a particularly strong captcha to begin with, because they are very annoying and it hasn't been necessary, perhaps until now. I may try reCaptcha because they've got the little checkbox feature now, but http://news.softpedia.com/news/google-recaptcha-cracked-in-new-automated-attack-502677.shtml either.

I'm exploring new options even if they will temporarily throw them off for a while.

Posted by: jess the hufflepuff Jan 18 2017, 04:39 PM
hi me again!

just one this time:
83.7.72.143

Posted by: page thirteen. Jan 18 2017, 08:21 PM
I've got IP addresses from two sites that have been hit in the past two days - I've checked and they're not on the list above, so I hope this is helpful!

5.3.214.227
5.3.208.196
83.7.106.53
95.79.135.86

Posted by: John Jan 18 2017, 10:38 PM
I have installed recaptcha checkbox as a trial.

I am logging both failed attempts and successful attempts, so we will see what the results are.

It is significantly more annoying though because the more you post, the more it will force you to do activities such as pick out what images are similar, etc but there is nothing I can do about that for the moment.

Posted by: John Jan 19 2017, 12:31 PM
Seeing really good success in the last 12 hours, here is just a clip of everything that was blocked by reCaptcha

QUOTE
188.163.73.42 == Topic Title: [Производство сварных балок любой сложности. Изготовление сварных балок по ГОСТ и СТО]
-- 212.159.91.21 == Topic Title: [Grown up position]
-- 188.163.73.42 == Topic Title: [Производство сварных балок любой сложности. Изготовление сварных балок по ГОСТ и СТО]
-- 5.164.178.248 == Topic Title: [Podskali where to buy a new iPhone? I can not find in Moscow ...]
_ -- 5.164.198.102 == Topic Title: [Form cheaply products no remedy]
_ -- 155.4.212.181 == Topic Title: [Бесплатные секс и порно фото галереи]
_ -- 5.164.178.248 == Topic Title: [The original idea. I wonder how much time he spent on it]
_ -- 83.22.119.144 == Topic Title: [Test, just a test]
-- 5.164.198.102 == Topic Title: [Form cheap products no instruction]
_ -- 139.59.158.210 == Topic Title: [  Pictures from collective networks ]
-- 31.19.158.50 == Topic Title: [Ряд порно фото для взрослых]
-- 163.172.209.74 == Topic Title: [Sexual pictures]
-- 163.172.209.74 == Topic Title: [New Protrude]
-- 188.163.73.42 == Topic Title: [Резка листового металла по низким ценам. Дёшево, качественно и в срок]
-- 188.163.73.42 == Topic Title: [Производство сварных балок любой сложности. Изготовление сварных балок по ГОСТ и СТО]
-- 94.136.203.193 == Topic Title: [Whither Free Watch Star Wars: Episode VIII (2017) Without Paying Part 1 720px?!!]
-- 37.229.197.94 == Topic Title: [Tinedol – эффективное средство от грибка]
-- 213.32.55.247 == Topic Title: [Free galleries]
-- 176.120.254.130 == Topic Title: [Investment projects]
-- 88.150.148.27 == Topic Title: [  Grown up galleries  ]
_ -- 72.65.231.150 == Topic Title: [A  Walk Among the Tombstones ]
_ -- 37.229.197.94 == Topic Title: [Tinedol – эффективное средство от грибка]
-- 188.163.73.42 == Topic Title: [Производство сварных балок любой сложности. Изготовление сварных балок по ГОСТ и СТО]
-- 188.163.73.42 == Topic Title: [Резка листового металла по низким ценам. Дёшево, качественно и в срок]
-- 87.118.110.233 == Topic Title: [   Free galleries  ]
-- 188.163.73.42 == Topic Title: [Изготов]
-- 37.229.197.94 == Topic Title: [Tinedol]
-- 188.163.73.42 == Topic Title: [Строите]
_ -- 94.102.50.42 == Topic Title: [Callow Job]
-- 37.229.197.94 == Topic Title: [Tinedol]
_ -- 188.163.73.42 == Topic Title: [Строительство быстровозводимых зданий и ангаров из металлоконструкций с применением сэндвич панелей на основе быстровозводимых конструкций от компании]
-- 213.108.105.71 == Topic Title: [Adult site]
-- 188.163.73.42 == Topic Title: [Услуги металлообработки на заказ по низким ценам от компании]
-- 89.109.224.213 == Topic Title: [  Adult galleries  ]
-- 51.15.55.140 == Topic Title: [My new website]
-- 139.59.158.210 == Topic Title: [Experimental Poke out]
-- 213.32.55.247 == Topic Title: [Mature galleries]
-- 62.210.254.201 == Topic Title: [Порно фото - уставиться онлайн безмездно]
-- 75.70.55.86 == Topic Title: [Southern Winds Weyr]
-- 31.19.158.50 == Topic Title: [Бесплатная эротика и секс фото галереи]


I'm also keeping track of guest captcha success, and at this time out of the hundreds of guest postings I'm not seeing a single one that is spam.

DNSBLs are also updating more frequently.

I will probably build reCaptcha into the registration system next if this continues to work out.

Posted by: John Jan 20 2017, 02:23 PM
Seeing -really- good results here with everything I've done.

How about everyone else? Anything at all yesterday or today?

Posted by: microneppy Jan 22 2017, 08:39 AM
I think there are two ways it could be prevented:

* Auto IP-ban any user that directly hits the register page on their first visit to the site. Spammers tend to hit straight onto the register page with either no referrer or a junk referrer from a spam site, I've seen a few hit the index beforehand but they rarely do so. Real users 99% of the time see the index page or a thread before registering.

* Implement the StopForumSpam API into the register and login page, and IP ban any matches.

I've dealt with these bots before on XMB and MyBB boards, by the way. They use some kind of tool like XRumer or Scrapebox to spam from multiple IPs from a VPS.

As well, forum admins, implement a good security question! Something like "What is 4 + 18 -7" would be easily solvable, whereas asking questions about the forum itself would be less obvious, but spammers would be destroyed.

Posted by: John Jan 22 2017, 12:08 PM
QUOTE
* Auto IP-ban any user that directly hits the register page on their first visit to the site. Spammers tend to hit straight onto the register page with either no referrer or a junk referrer from a spam site, I've seen a few hit the index beforehand but they rarely do so. Real users 99% of the time see the index page or a thread before registering.


Then these are the exception. They're not going for the register page at all in my logs, they hit the index, then the bot scans for guest forums. I think they look for keywords such as "Advertise" and wiggle their way in. Their referrers are clean too. We already do quite a bit on the backend to check for patterns as well that I won't mention here in case these guys are reading this board.

QUOTE
* Implement the StopForumSpam API into the register and login page, and IP ban any matches.


Already being done for years, I love SFS and they do a great job. We can't use their API specifically because of too many requests but their database is dl'd and run on one of my servers for our high-use only.

We have always used SFS for the registration page. Login page is too aggressive. But the focus has been on guests only -- now we are scanning every guest IP and that's going well too.

The problem with SFS now though, is that it's very effective... but not in this instance. SFS is missing -many- of these IP addresses, just by a few hours in some cases. These guys are getting fresh addresses and dumping them very quickly.

Xrumer has been a pain in my ass for... years, but I've been able to thwart them with my own funky captcha and SFS. It looks like that will no longer be an option.

I'm thinking they did yet another revision to the software. But these guys cannot get past this reCaptcha at the security level I have set now, and thankfully google had made it possible to implement reCaptcha a lot easier in a service like ours with tons of subdomains and domains, so it couldn't have happened at a better time. I never liked reCaptcha because it was not that great and the "captchas" could be purchased for pennies on the dollar. Things have changed quite a bit...

QUOTE
As well, forum admins, implement a good security question! Something like "What is 4 + 18 -7" would be easily solvable, whereas asking questions about the forum itself would be less obvious, but spammers would be destroyed.


They can't do this since it isn't an option on our service, BUT, since the current captcha is finally dead I will be replacing it with this option as I know exactly what you mean.
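The per-post guest IP scan described in the post above (a locally hosted spam list plus DNSBL lookups), sketched as an added example that is not Jcink's code. The zone name, the one-address-per-line list format and all function names are assumptions, and the resolver is stubbed with constructed data so the block runs offline.

```python
import ipaddress
import socket

DNSBL_ZONE = "dnsbl.example.org"  # placeholder zone (assumption), not a real list

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def load_local_list(lines):
    """Parse a downloaded list; assumed format: one IPv4 per line, '#' comments."""
    out = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            out.add(ipaddress.IPv4Address(line))
    return out

def check_guest_ip(ip, local_list, resolve=socket.gethostbyname):
    """Return (verdict, reason); verdict is 'block' or 'allow'."""
    addr = ipaddress.IPv4Address(ip)
    if addr in local_list:                 # cheap local lookup first
        return "block", "local-list"
    try:
        answer = ipaddress.IPv4Address(resolve(dnsbl_query_name(ip)))
    except socket.gaierror:
        return "allow", "not-listed"       # name did not resolve: not on the list
    except OSError:
        return "allow", "dnsbl-error"      # timeout etc.: fail open, captcha still applies
    # A DNSBL signals a listing with an answer inside 127.0.0.0/8.
    if answer in ipaddress.ip_network("127.0.0.0/8"):
        return "block", "dnsbl"
    return "allow", "unexpected-answer"

# Constructed stand-in for DNS so the example runs without network access.
FAKE_ZONE = {"86.135.79.95." + DNSBL_ZONE: "127.0.0.2"}

def fake_resolve(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror("NXDOMAIN (constructed)")

# Two addresses reported earlier in this thread, used as the local list.
LOCAL = load_local_list(["78.109.24.109  # reported Jan 4 2017", "192.36.27.6"])

if __name__ == "__main__":
    for ip in ("192.36.27.6", "95.79.135.86", "203.0.113.9"):
        print(ip, check_guest_ip(ip, LOCAL, fake_resolve))
```

An address that was put into use only hours ago passes both checks, which is the gap the post describes and the reason the captcha stays in front of the posting form.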

Posted by: jess the hufflepuff Jan 22 2017, 06:01 PM
update: everything seems 100% thank you so much!!

Posted by: John Jan 23 2017, 09:31 PM
Good to hear. My logs basically confirm the same thing. There is near 100% success rate in keeping these guys out. In fact I think so far it *is* 100% and only a couple of manual spammers got in, according to my logs.

So we're in extremely good shape, they are trying super hard to post garbage but failing. I have a reCaptcha failure log thousands and thousands of lines long with "Из окон отеля Мардан Турция всегда идеал&" and "Жители Турции – общество и этикет" for the topic titles - whatever those mean, but definitely spam content.

I've hooked up reCaptcha to the registration page as well so they cannot decide to strike that page.

Meanwhile, SFS is still blocking tons of them before they even reach the page.

Posted by: serenity Jan 12 2018, 04:54 AM
getting spam again, most originating from the first IP on this list, but thought i'd give a heads up.

here are some IPs (the first one spammed three separate times after we thought it was banned but apparently not):
46.118.112.109
95.79.176.125

Posted by: John Jan 12 2018, 12:33 PM
Those two should not be a problem anymore. I refreshed and rebuilt the SFS database also.

46.118.112.109 looks like an "essay" spammer of some type. I'm tempted to just block that whole ASN.

Doing some research looks like reCaptcha v2 was cracked late this year:

https://community.webroot.com/t5/Security-Industry-News/Google-s-reCaptcha-Cracked-Again/td-p/305247

Someone created this tool to solve the new captcha through the audio function, great:

https://github.com/ecthros/uncaptcha

Some of these spammers are willing to pay for the voice recognition services to get past the captcha. I'll try to find a way to disable the audio option and see if we have greater success, but I'm not seeing it anywhere.

Posted by: serenity Jan 13 2018, 10:11 AM
thanks so much john for working so hard to get this handled. you are awesome! here's hoping you can figure out a way to disable the audio, sucks that it got cracked. it's also ironic that exactly a year later they're back, lol.

here are some more IPs:
5.3.214.178
95.79.213.164
95.79.95.154

Posted by: John Jan 14 2018, 12:36 PM
I have looked and thus far there does not seem to be a way to disable the audio. Many have asked for this but no response.

We will not have a captcha that works as effectively as before until this option is added by Google, board owners will need to be vigilant in clearing spam from guest enabled forums until then.

I recommend wildcard blocking repeat /16s that you see, ex 95.79.*.*
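One way to find the "repeat /16s" from a pile of reported addresses, as an added example that is not part of the original post: it groups the IPs board owners posted in this thread by /16 and prints both the wildcard form and an nginx `deny` line in CIDR form. The function names and the `min_hits` threshold are assumptions.

```python
from collections import Counter
import ipaddress

# IPs reported by board owners in this thread (Jan 2017 and Jan 2018 posts).
REPORTED = """
83.7.72.143
5.3.214.227  5.3.208.196  83.7.106.53  95.79.135.86
46.118.112.109  95.79.176.125
5.3.214.178  95.79.213.164  95.79.95.154
"""

def repeat_slash16s(text, min_hits=2):
    """Return [(network, distinct_ip_count)] for /16s seen at least min_hits times."""
    seen = set()
    for token in text.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue                      # ignore anything that is not an IP
        if addr.version == 4:
            seen.add(addr)                # a set, so re-reports do not inflate counts
    counts = Counter(ipaddress.ip_network(f"{a}/16", strict=False) for a in seen)
    hits = [(net, n) for net, n in counts.items() if n >= min_hits]
    # Most-reported range first; ties ordered by network address.
    return sorted(hits, key=lambda h: (-h[1], int(h[0].network_address)))

def wildcard(net):
    """Render a /16 in the board-style wildcard form, e.g. 95.79.*.*"""
    a, b, _, _ = str(net.network_address).split(".")
    return f"{a}.{b}.*.*"

def nginx_deny(net, n):
    """Render the same range as an nginx deny directive."""
    return f"deny {net}; # {n} reported IPs in this /16"

if __name__ == "__main__":
    for net, n in repeat_slash16s(REPORTED):
        print(f"{wildcard(net):<12} {nginx_deny(net, n)}")
```

Each /16 covers 65,536 addresses, so raising `min_hits` and reviewing the output before banning keeps a single stray report from locking out a whole provider's users.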
